Insert custom postrouting chain before masquerade.

This commit is contained in:
Manuel Amador (Rudd-O) 2024-02-20 08:27:57 +00:00
parent 7b5cae5b0e
commit ef4845548f
2 changed files with 29 additions and 18 deletions


@ -3,7 +3,7 @@
%define mybuildnumber %{?build_number}%{?!build_number:1} %define mybuildnumber %{?build_number}%{?!build_number:1}
Name: qubes-network-server Name: qubes-network-server
Version: 0.1.1 Version: 0.1.2
Release: %{mybuildnumber}%{?dist} Release: %{mybuildnumber}%{?dist}
Summary: Turn your Qubes OS into a network server Summary: Turn your Qubes OS into a network server
BuildArch: noarch BuildArch: noarch


@ -139,15 +139,20 @@ def append_counter_at_end(
) )
def append_rule_after( def _append_or_insert_rule(
address_family: ADDRESS_FAMILIES, table: str, chain: str, handle: int, *rest: str where: Literal["add"] | Literal["insert"],
address_family: ADDRESS_FAMILIES,
table: str,
chain: str,
handle: int,
*rest: str,
) -> None: ) -> None:
subprocess.check_output( subprocess.check_output(
[ [
NFTABLES_CMD, NFTABLES_CMD,
"-n", "-n",
"-j", "-j",
"add", where,
"rule", "rule",
address_family, address_family,
table, table,
@ -160,6 +165,18 @@ def append_rule_after(
) )
def append_rule_after(
address_family: ADDRESS_FAMILIES, table: str, chain: str, handle: int, *rest: str
) -> None:
_append_or_insert_rule("add", address_family, table, chain, handle, *rest)
def insert_rule_before(
address_family: ADDRESS_FAMILIES, table: str, chain: str, handle: int, *rest: str
) -> None:
_append_or_insert_rule("insert", address_family, table, chain, handle, *rest)
def delete_rule( def delete_rule(
address_family: ADDRESS_FAMILIES, table: str, chain: str, handle: int address_family: ADDRESS_FAMILIES, table: str, chain: str, handle: int
) -> None: ) -> None:
@ -245,31 +262,25 @@ def setup_plain_forwarding_for_address(source: str, enable: bool, family: int) -
== ADD_FORWARD_RULE_AFTER_THIS_RULE == ADD_FORWARD_RULE_AFTER_THIS_RULE
) )
def is_postrouting_lo_accept(rule): def is_postrouting_masquerade(rule):
return ( return (
rule["chain"] == postrouting_chain["name"] rule["chain"] == postrouting_chain["name"]
and len(rule["expr"]) == 2 and len(rule["expr"]) == 1
and rule["expr"][0].get("match", {}).get("op", "") == "==" and "masquerade" in rule["expr"][0]
and rule["expr"][0]
.get("match", {})
.get("left", {})
.get("meta", {})
.get("key")
== "oif"
and rule["expr"][0].get("match", {}).get("right", "") == "lo"
and "accept" in rule["expr"][1]
) )
for parent_chain, child_chain_name, previous_rule_detector in [ for parent_chain, child_chain_name, previous_rule_detector, insertor in [
( (
forward_chain, forward_chain,
ROUTING_MANAGER_CHAIN_NAME, ROUTING_MANAGER_CHAIN_NAME,
is_forward_jump_to_custom_forward, is_forward_jump_to_custom_forward,
append_rule_after,
), ),
( (
postrouting_chain, postrouting_chain,
ROUTING_MANAGER_POSTROUTING_CHAIN_NAME, ROUTING_MANAGER_POSTROUTING_CHAIN_NAME,
is_postrouting_lo_accept, is_postrouting_masquerade,
insert_rule_before,
), ),
]: ]:
jump_rule: None | Rule = None jump_rule: None | Rule = None
@ -302,7 +313,7 @@ def setup_plain_forwarding_for_address(source: str, enable: bool, family: int) -
child_chain_name, child_chain_name,
TABLE_NAME, TABLE_NAME,
) )
append_rule_after( insertor(
af, af,
TABLE_NAME, TABLE_NAME,
parent_chain["name"], parent_chain["name"],
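Review bot: `is_postrouting_masquerade` only recognizes an unconditional masquerade rule (`len(rule["expr"]) == 1` plus `"masquerade" in rule["expr"][0]`), so a postrouting masquerade that carries a match expression — an interface or address qualifier in front of the `masquerade` statement — is not detected, and the custom postrouting chain would presumably never be inserted before it; what the loop does when `jump_rule` stays `None` is decided outside this hunk. Replacing the two checks with `and any("masquerade" in e for e in rule["expr"])` would still anchor on the masquerade statement while tolerating a qualified rule. The new `_append_or_insert_rule` is also undocumented although the two wrappers depend on a subtle distinction: with a `handle`, `add` appends the rule after the referenced one whereas `insert` places it before, and a docstring stating that (and that `where` selects between them) would make the wrappers self-explaining. The `where` annotation reads more conventionally as `Literal["add", "insert"]`; the enclosing `setup_plain_forwarding_for_address` starts and ends outside the hunks shown.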